When the iPhone is turned off, most wireless chips, including Bluetooth, Near Field Communication (NFC), and Ultra-wideband (UWB), remain active for up to 24 hours. This way the phone can still be found via the Find My network and you still have access to things like credit cards, student cards and digital keys.
The wireless chips run in a Low-Power Mode (LPM), not to be confused with the power-saving mode that extends battery life. Support for LPM is implemented in the hardware, which means that this problem cannot be solved with a software solution.
The problem seems to stem from the fact that LPM features are designed around functionality and apparently not much attention has been paid to potential threats outside of the intended applications.
Find My after power off turns closed iPhones into tracking devices by design, and the implementation within the Bluetooth firmware is not protected against tampering. Tracking properties can be secretly changed by attackers with system-level access.
The findings were disclosed to Apple and the company also read the paper, but did not provide any feedback.